Southeast Asia's first enforcement of personal data legislation

AvantiKumar |
Sept. 14, 2012

13 criminal offences are included in Malaysia's Personal Data Protection Act, which is expected to be in force by the end of this year, says legal expert who advised the government during the drafting of the legislation.

Malaysia-based organisations and individuals making commercial use of personal data will come under the auspices of the Malaysia's Personal Data Protection Act (PDPA) by the end of the year and could risk being charged with up to 13 criminal offences, said the legal expert who advised the Malaysian government during the drafting of the act.

Speaking on 12 September 2012 at a media briefing by security solutions firm Symantec Malaysia, University of Malaysia professor of law Abu Bakar Munir said the strong deterrents were to help to encourage a more rapid compliance by organisations and individuals in Malaysia. "Those organisations or individuals who make use of data for commercial purposes need to be registered by the data protection agency, though these details are not yet finalised."

"Although the enforcement mechanisms and implementation of the PDPA are still under development, I have been assured that the implementation would start soon," he said. "The urgency for businesses to comply with the Act is increasing as all businesses are required to comply within three months upon the enforcement of the Act. Failing which would render the businesses liable to stringent penalties."

Penalties vary from fines of RM100,000 to RM500,000 (US$32,500 to US$162,000) as well as imprisonment terms of up to three years, depending upon the offence. "A director, chief executive officer, manager, secretary or similar officer of the body corporate may be charged jointly or severally, and the enforcement measures would include entry to premises without a warrant and the seizure of computer equipment."

Abu Bakar said the enforcement mechanisms would include a data protection commissioner, advisory committee, appeal tribunal, codes of practice, enforcement notice, prosecution processes, and the revocation of registration.

"There is a lot to do and time is running out," he said. "Organisations face the potential risk of breaches of the PDPA, which could damage the organisation's brand and reputation, as well as incur financial losses associated with loss of market share, negative publicity and deterioration in the quality and integrity of personal data due to reduced trust by their customers. And also important is the possible physical, psychological and economic harm to their customers."

He added that Malaysia was the first country in Southeast Asia to pass data privacy legislation (on 6 May 2010), and could also be first in the region to enforce such privacy laws. However, he admitted that the initial enforcement target of June 2012 has been missed.